M365 Entra ID Risk Detection Signal
Identifies Microsoft Entra ID (formerly Azure AD) risk detection events forwarded through the Microsoft 365 unified audit log, including risky sign-ins, leaked credentials, atypical (impossible) travel, and other identity-based anomalies raised by Microsoft Entra ID Protection. These events indicate potential credential compromise, account takeover attempts, or suspicious authentication patterns. This building block rule generates events for correlation, threat hunting, and telemetry collection to support detection of credential access and initial access attempts. Because it is a building block rule, its alerts are hidden from the default alerts view and are intended to be consumed by other rules and hunts rather than triaged on their own.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Entra ID
- Data Source: Microsoft Entra ID Protection
- Use Case: Threat Detection
- Use Case: Identity Threat Detection
- Tactic: Credential Access
- Tactic: Initial Access
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query:
event.dataset:o365.audit and event.code:AadRiskDetection
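The following is an added example, not part of the original rule page or of Elastic's rule code. It applies the rule query above to a few constructed, ECS-shaped Microsoft 365 audit events so you can see which records the rule would select and how a consumer of this building block might summarise them. Only event.dataset and event.code come from the rule; the user.name and o365.audit.RiskEventType / o365.audit.RiskLevel fields, the sample values, and the per-user summary are assumptions made for illustration.

```python
"""Apply the rule query
    event.dataset:o365.audit and event.code:AadRiskDetection
to constructed sample events and summarise the hits per user.

Added example; not the rule page's or Elastic's own code.
"""
from collections import defaultdict

# Constructed sample events (not real tenant data). Only event.dataset and
# event.code are taken from the rule; user.name and the o365.audit.* risk
# fields are assumptions about how a risk-detection record is shaped.
SAMPLE_EVENTS = [
    {   # Entra ID Protection risk detection for alice -> should match
        "event": {"dataset": "o365.audit", "code": "AadRiskDetection"},
        "user": {"name": "alice@example.com"},
        "source": {"ip": "203.0.113.10"},
        "o365": {"audit": {"RiskEventType": "unlikelyTravel", "RiskLevel": "medium"}},
    },
    {   # Ordinary STS logon record from the same tenant -> must not match
        "event": {"dataset": "o365.audit", "code": "AzureActiveDirectoryStsLogon"},
        "user": {"name": "alice@example.com"},
        "source": {"ip": "203.0.113.10"},
    },
    {   # Risk detection for bob -> should match
        "event": {"dataset": "o365.audit", "code": "AadRiskDetection"},
        "user": {"name": "bob@example.com"},
        "source": {"ip": "198.51.100.7"},
        "o365": {"audit": {"RiskEventType": "leakedCredentials", "RiskLevel": "high"}},
    },
    {   # Same event.code but a different dataset -> must not match
        "event": {"dataset": "azure.signinlogs", "code": "AadRiskDetection"},
        "user": {"name": "carol@example.com"},
    },
    {   # Record with no event.code at all -> must not match
        "event": {"dataset": "o365.audit"},
        "user": {"name": "dave@example.com"},
    },
]


def get_field(event, path):
    """Resolve a dotted ECS field name (e.g. 'event.code') against a nested dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event):
    """Python equivalent of the KQL query.

    KQL field:value on keyword fields is an exact match, so compare with ==
    rather than a substring or case-insensitive test.
    """
    return (
        get_field(event, "event.dataset") == "o365.audit"
        and get_field(event, "event.code") == "AadRiskDetection"
    )


def run_rule(events, max_alerts=100):
    """Return matching events, capped like 'Maximum alerts per execution: 100'."""
    hits = [e for e in events if matches_rule(e)]
    return hits[:max_alerts]


def summarize_by_user(hits):
    """Group hits by user.name -> list of (risk_event_type, risk_level).

    The o365.audit.RiskEventType / RiskLevel field names are assumptions.
    """
    summary = defaultdict(list)
    for e in hits:
        user = get_field(e, "user.name") or "<unknown>"
        summary[user].append(
            (get_field(e, "o365.audit.RiskEventType"),
             get_field(e, "o365.audit.RiskLevel"))
        )
    return dict(summary)


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    print(f"{len(hits)} of {len(SAMPLE_EVENTS)} constructed events match the rule")
    for user, risks in summarize_by_user(hits).items():
        print(f"  {user}: {risks}")
```

Note that the cap on returned hits mirrors the page's maximum of 100 alerts per execution: if a tenant produces more risk detections than that in one window, the excess is dropped, which is the condition the "maximum alerts warning" refers to.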
Framework: MITRE ATT&CK
Tactic:
- Name: Credential Access
- Id: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Brute Force
- Id: T1110
- Reference URL: https://attack.mitre.org/techniques/T1110/
Framework: MITRE ATT&CK
Tactic:
- Name: Initial Access
- Id: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- Id: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub Technique:
- Name: Cloud Accounts
- Id: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/